New SYSBACKUP, SYSDG and SYSKM Administrative Users in Oracle 12c

Large enterprise database environments have dedicated DBAs performing specific database roles. Some of these specific roles include database storage management, tuning, backup and recovery, etc. Inside these organizations there has been growing emphasis on the establishment and use of the SOD (Segregation of Duties) concept company-wide.

Use of SOD ensures that core business tasks are divided between different users and that each of them has a clear set of duties assigned. It also guarantees that none of these users has a related set of duties or privileges that can be used in combination to perform harmful operations.

SYSBACKUP, SYSDG and SYSKM Administrative Users in Oracle 12c

Previously, all Oracle DBA-related activities were performed using either the powerful SYSDBA or the SYSOPER role. In support of the SOD requirements, starting with Oracle 12c new administrative roles have been introduced to conform to the principle of least privilege.

Three new users, SYSBACKUP, SYSDG and SYSKM, are created in support of this when the database is created, with their accounts in the “EXPIRED & LOCKED” status. An equivalent administrative privilege with the same name as each user is created as well.

SYSBACKUP will be used to perform all backup and recovery related operations either via RMAN or SQL*PLUS. Here you can find a complete list of SYSBACKUP privileges you are assigned when logged in with the SYSBACKUP administrative privilege.

SYSDG is in place to separate the Data Guard related operations from other activities. Here you can find a complete list of SYSDG privileges you are assigned when logged in with the SYSDG administrative privilege.

SYSKM will be responsible for all TDE (Transparent Data Encryption) and Data Vault related administrative operations. Here you can find a complete list of SYSKM privileges you are assigned when logged in with the SYSKM administrative privilege.

None of these new database roles can be dropped. They have enough privileges that a user can connect to the database with them even if it is closed. All of these roles are also incorporated into Oracle Database Vault. Actions performed using these privileges can be audited if AUDIT_SYS_OPERATIONS is set to true.

Add New Privileges to Password File

When a user needs to connect to the database using the SYSBACKUP, SYSDG or SYSKM administrative privilege, the user must be added to the password file with the appropriate user privilege flag. The option to include these new privileges has been added to the orapwd utility.

Current Schema and Session for SYSBACKUP, SYSDG and SYSKM
When a user is connected using any of these admin privileges, the schema that they are assigned to is the SYS schema and the session name corresponds to the privilege name that they are using.
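
The password-file and session behaviour described in the two sections above can be checked with a short SQL*Plus session. This is an added example, not code from the original article; it assumes a non-CDB 12c database with a 12c-format password file and REMOTE_LOGIN_PASSWORDFILE=EXCLUSIVE, and the account name BKP_ADMIN is hypothetical.

```sql
-- Added example: give one named operator SYSBACKUP only, then verify it.
-- BKP_ADMIN is a hypothetical account name used for illustration.

CONNECT / AS SYSDBA

-- Status of the three built-in accounts created with the database.
SELECT username, account_status
  FROM dba_users
 WHERE username IN ('SYSBACKUP', 'SYSDG', 'SYSKM')
 ORDER BY username;

-- Auditing of actions under these privileges depends on this parameter.
SHOW PARAMETER audit_sys_operations

-- Prompt for the password so it is never stored in the script.
ACCEPT bkp_pw CHAR PROMPT 'Password for BKP_ADMIN: ' HIDE

CREATE USER bkp_admin IDENTIFIED BY "&bkp_pw";

-- Granting the administrative privilege records the user in the password
-- file with the SYSBACKUP flag only (no SYSDBA, SYSDG or SYSKM).
GRANT SYSBACKUP TO bkp_admin;

-- Review which privilege flags every password-file user holds.
-- Any unexpected TRUE in this output is a segregation-of-duties finding.
SELECT username, sysdba, sysoper, sysbackup, sysdg, syskm
  FROM v$pwfile_users
 ORDER BY username;

-- Reconnect with the restricted privilege and inspect the session.
CONNECT bkp_admin/"&bkp_pw" AS SYSBACKUP

-- Compare with the article: schema SYS, session named after the privilege.
SELECT SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema,
       SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_name
  FROM dual;
```

Running the V$PWFILE_USERS query on a schedule gives a simple record of who holds each administrative privilege over time.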

New Database Role OS Group

To further ensure the separation of access to the new SYSBACKUP, SYSDG and SYSKM privileges, Oracle recommends mapping them to the new OSBACKUPDBA, OSDGDBA and OSKMDBA operating system groups respectively.

Privilege     OS group
SYSBACKUP     BACKUPDBA
SYSDG         DGDBA
SYSKM         KMDBA

Summary
With the introduction of the new Database Administration users and the scaled down privileges, implementing segregation of duties is indeed possible.

Further, by providing the flexibility to assign only the required DBA privilege and map it to the specific OS role group, accountability for the use of each role is made easier.


About Natik Ameen

Natik Ameen is an Oracle Production DBA, Oracle Certified RAC Expert and a DBA track Certification trainer for over 17 years. He is an Oracle Evangelist and has presented at IOUG & UTOUG conferences. He writes on topics such as Database Administration, RAC, GoldenGate and the Cloud. Stay connected with Natik at LinkedIn or FaceBook.